The Green Sheet Online Edition

A slew of recent data breaches have security experts and government authorities scrambling to fix security loopholes and identify possible sources. In the most recent attack, Epsilon Data Management LLC, an online marketing unit of Alliance Data Systems Corp., reported customer data was exposed by an unauthorized entry into Epsilon's email system, affecting approximately 2 percent of its global client base of 2,500 companies.

Epsilon detected the breach on March 30, 2011, and notified clients that the information obtained was restricted to email addresses and customer names. Since the incident occurred, a growing number of companies affected by the breach have stepped forward. Citigroup Inc., HSN Inc., Kroger Co., Walgreen Co., and Walt Disney Co.'s travel subsidiary, Disney Destinations, are among the affected companies.

In a follow-up statement Alliance Data also confirmed that, "No personal identifiable information (PII) was compromised. PII includes such data as Social Security numbers, credit card numbers and account information. Epsilon is working with authorities and external experts to conduct a full investigation to identify those responsible for the incident while also implementing additional security protocols in its email operations."

Post-attack threats

According to Nicholas Percoco, Senior Vice President and head of Trustwave's Spiderlabs, once a breach occurs, culled data can be used in further attacks. "The attackers have that data," he said. "There is likely a lot of data here, probably 100 million names and email addresses, if you add up all these major vendors who were affected. The attackers right now have a mound of data they need to sift through and decide what their next steps are."

Percoco said follow-up attacks might include low-level phishing and spam attacks to gather additional information. "They can hone their attack even further by sending crafted emails to just the people they know who are customers of Merchant X or Card Issuer Y," he said. "That becomes even more targeted, something along the lines of what we call 'spear fishing,'" which involves attackers targeting specific consumer groups or high-profile names in government or corporations.

Anticipating increased email activity within the customer and client environment impacted by the breach, Epsilon President Bryan Kennedy stated, "We apologize for the inconvenience that this matter has caused and for the potential unsolicited emails that may occur as a result of this incident."

Percoco advised merchants to step up their fraud monitoring through third-party fraud alert systems that identify abnormal activity. And for those affected by the breach, he recommended communicating with customers to prevent furtherance of the attack. He suggested, for example, that merchants provide guidelines so customers know what kind of communication to expect from them; these could be simple statements such as, "We will not send you an email and ask you to click on a link to update your profile information or log into our site."

A persistent trend

Statistical data from the Privacy Rights Clearinghouse, a nonprofit consumer organization that reports data breaches and provides consumer education, suggest that data breaches will continue to persist as a trend. In 2010, a total of 595 breaches were reported by the PRC, with 12,313,609 records exposed.

In the first quarter of 2011, PRC reported that 144 breaches have exposed 4,953,195 records. As the Epsilon breach unfolds, the number of records exposed this year will likely surpass 2010's total. Further, Epsilon is not the first to have its email system breached. In February 2011, hackers extracted 60,000 business emails from HBGary's network, potentially exposing sensitive information about its customers. The Sacramento, Calif.-based security company provides continuous cyber-security protection for government agencies and Fortune 500 companies.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.